[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Isms] RE: Follow up on Authorize Only issue
- To: "Jeffrey Hutzelman" <jhutz@cmu.edu>, "Nelson, David" <dnelson@enterasys.com>
- Subject: RE: [Isms] RE: Follow up on Authorize Only issue
- From: "Glen Zorn \(gwz\)" <gwz@cisco.com>
- Date: Tue, 25 Jul 2006 21:33:56 -0700
- Authentication-results: sj-dkim-6.cisco.com; header.From=gwz@cisco.com; dkim=pass ( sig from cisco.com verified; );
- Cc: <isms@ietf.org>, <radiusext@ops.ietf.org>
- Dkim-signature: a=rsa-sha1; q=dns; l=1799; t=1153888439; x=1154752439; c=relaxed/simple; s=sjdkim6002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=gwz@cisco.com; z=From:=22Glen=20Zorn=20\(gwz\)=22=20<gwz@cisco.com> |Subject:RE=3A=20[Isms]=20RE=3A=20Follow=20up=20on=20Authorize=20Only=20issue; X=v=3Dcisco.com=3B=20h=3Dj5JHVHOkk4k+d3Gjk+Lsn4+lNFg=3D; b=ObhMTwqu9X9VG2wrjKiHlEVyjha9qEjauP/hS63ZbJ1VU+iBfwPVT5NW1THH1fkiXhLf5OTX pz0BgELiMUQ3NdVHNFXgoBq68WvoQLu36P6hzqvVptSibnrdVB1dB1h9;
Jeffrey Hutzelman <mailto:jhutz@cmu.edu> supposedly scribbled:
> On Tuesday, July 25, 2006 02:16:41 PM -0700 "Glen Zorn (gwz)"
> <gwz@cisco.com> wrote:
>
>> Don't quite understand this either: if a server doesn't recognize the
>> postulated Asserted-Identity Attribute, it seems that as far as it is
>> concerned there will be no credential-bearing attribute in the
>> message. So just omitting any credential-bearing attribute (along
>> with the addition of the other stuff we've been talking about)
>> should get just the same response from a legacy server, right?
>
>> From a _legacy_ server, yes. The concern is about how this would
>> affect
> handling of some new authentication method invented in the future.
> Suppose there is a new method that requires a "Frobozz" attribute,
> and we have a client that sends a request using that method. A
> server which supports "Frobozz" will respond correctly, as will a
> server that does not support either "Frobozz" or authorize-only.
>
>
> However, a server that supports authorize-only but does _not_ support
> "Frobozz" will believe the client intended authorize-only, and will
> return a successful response on that basis, without verifying the
> user's identity.
> That's the situation which we need an "Asserted-Identity" attribute
> to avoid. The _contents_ of such an attribute are irrelevant; the
> important thing is an affirmative indication that the client meant
> authorize-only and not some unknown "Frobozz".
OK, one more time: that seems to be what a Service-Type of Authorize-Only would do....
>
> -- Jeff
Hope this helps,
~gwz
Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>